PSIRT Note: CVE-2015-1571 and Fortinet_factory certificate
Description
A recent claim by an external researcher that FortiOS 5.0.7 uses the same certificate (Fortinet_factory) and private key across different customer installations is not correct.
Every Fortinet_factory certificate is unique per unit. The Fortinet_factory certificate is generated only on hardware-based models, and its CN field carries the unit's BIOS-encoded serial number, which is unique to that unit.
An official FortiGuard statement is available at the following URL in the impact note section: http://www.fortiguard.com/advisory/FG-IR-15-002/
A disputed flag has been raised with MITRE for CVE-2015-1571.
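The properties the note asserts (a per-unit CN equal to the unit's serial number, and no certificate or key shared between units) are something an administrator can verify across a fleet rather than take on trust. The following is an added example, not Fortinet's code or part of the advisory: it parses a simple per-unit inventory and flags any CN/serial mismatch or any certificate or public key that appears on more than one unit. The inventory format is an assumption of this example (a "serial" line recorded by the administrator, the subject and fingerprint lines as printed by "openssl x509 -noout -subject -fingerprint -sha256", and a SHA-256 over the DER-encoded public key); all serial numbers and hashes in the sample are constructed and shortened.

```python
import re
from collections import defaultdict

# Constructed sample inventory (not real Fortinet data; hashes shortened).
# One blank-line separated block per unit. "serial" is what the administrator
# recorded from the unit; "subject" and "SHA256 Fingerprint" are in the shape
# printed by:  openssl x509 -in Fortinet_factory.pem -noout -subject -fingerprint -sha256
# "pubkey_sha256" is a SHA-256 over the DER-encoded public key, e.g.
#   openssl x509 -in Fortinet_factory.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum
# Units 3 and 4 deliberately share a CN and a key so the check has something to find.
SAMPLE_INVENTORY = """\
serial=FGT60D0000000001
subject=CN = FGT60D0000000001
SHA256 Fingerprint=10:10:10:10:10:10:10:10
pubkey_sha256=1111111111111111

serial=FGT60D0000000002
subject= /C=US/O=Fortinet/CN=FGT60D0000000002
sha256 Fingerprint=20:20:20:20:20:20:20:20
pubkey_sha256=2222222222222222

serial=FGT60D0000000003
subject=CN = FGT60D0000000003, O = Fortinet
SHA256 Fingerprint=30:30:30:30:30:30:30:30
pubkey_sha256=3333333333333333

serial=FGT60D0000000004
subject=CN = FGT60D0000000003
SHA256 Fingerprint=40:40:40:40:40:40:40:40
pubkey_sha256=3333333333333333
"""

# Matches the CN in both the modern "CN = X, O = Y" and the legacy "/O=Y/CN=X" subject forms.
CN_RE = re.compile(r"(?:^|[/,])\s*CN\s*=\s*([^,/]+)")


def parse_inventory(text):
    """Parse the inventory text into one dict per unit."""
    units = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "subject":
                m = CN_RE.search(value)
                rec["cn"] = m.group(1).strip() if m else None
            elif key == "sha256 fingerprint":
                # OpenSSL prints "SHA256 Fingerprint=" or "sha256 Fingerprint=" depending on version
                rec["cert_fp"] = value.replace(":", "").lower()
            elif key in ("serial", "pubkey_sha256"):
                rec[key] = value
        units.append(rec)
    return units


def check_factory_certs(units):
    """Return a list of (serial, problem) findings; an empty list means the fleet
    matches the note's description: CN == unit serial, and no certificate or
    public key is shared between units."""
    findings = []
    by_cn, by_fp, by_key = defaultdict(list), defaultdict(list), defaultdict(list)
    for u in units:
        serial = u.get("serial", "<unknown>")
        cn = u.get("cn")
        if not cn:
            findings.append((serial, "no CN in subject"))
        elif cn != serial:
            # The note states the CN carries the unit's own BIOS serial number.
            findings.append((serial, f"CN {cn} does not match unit serial"))
        if cn:
            by_cn[cn].append(serial)
        if u.get("cert_fp"):
            by_fp[u["cert_fp"]].append(serial)
        if u.get("pubkey_sha256"):
            by_key[u["pubkey_sha256"]].append(serial)
    # A shared public key is the condition the disputed CVE describes; a shared CN
    # or certificate fingerprint is reported separately so the cause is visible.
    for label, index in (("CN", by_cn), ("certificate", by_fp), ("public key", by_key)):
        for serials in index.values():
            if len(serials) > 1:
                for s in serials:
                    others = ", ".join(x for x in serials if x != s)
                    findings.append((s, f"{label} shared with {others}"))
    return findings


def fleet_is_clean(text):
    """Convenience wrapper: True when no finding is raised for the inventory text."""
    return not check_factory_certs(parse_inventory(text))


if __name__ == "__main__":
    for serial, problem in check_factory_certs(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{serial}: {problem}")
```

Run against a real fleet, the inventory would be assembled from each unit's exported Fortinet_factory certificate; a clean result means every unit presents a distinct certificate and key with its own serial in the CN, which is exactly what the note claims and what the disputed CVE would contradict.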
